Position Overview
This role sits within the 2nd Line of defence, where you will lead and support the business, managing cyber risk and information protection positions effectively. Protecting the business from security threats, by identifying risks and developing appropriate risk migration plans. Providing senior leadership with independent assurance of their cyber risk and information protection posture.
The role will work collaboratively with 1st Line cyber team to ensure business assurance plans are shared and the requirements of 2nd Line are understood.
You will also take the lead in delivering a defined list of cyber assurance reviews, projects, and initiatives as well as achieving the cyber assurance and compliance related objectives. You will also help shape the City cyber security strategy for data security, monitoring and reporting, risk and threat assessment, incident response, business continuity and disaster recovery.
Principal Tasks And Responsibilities
Monitor & Review
1. Contribute and maintain the current information security risk management framework, articulate risk in business terms, identify appropriate mitigation measures and drive their delivery to ensure the security of our information and services.
2. Liaise with key stakeholders to prioritise technology, process and people-based security initiatives to mitigate risks identified and use continuous improvement principles to ensure the evolution of our information security delivery framework.
3. Contribute to the annual information security business plan including audits, tests, risk assessment activities and additions to the information security delivery framework, e.g. policy updates.
4. Identify relevant information security activities in response to changes in standards and regulations.
5. Liaise with key stakeholders to prioritise information security and compliance initiatives.
6. Perform security risk assessments and adversarial testing to establish proportionate risk advising of any relevant enhancements to the information security delivery framework.
7. Accountable for data security measures being in place to meet our policies.
Respond & Remediate
1. Responding to information security incidents in line with the appropriate standards and processes, meeting or exceeding agreed KPIs.
2. Following a regular timetable of security and data protection compliance audits and tests, taking appropriate steps to mitigate any risks discovered.
3. Assist with the development of City’s disaster recovery and business continuity plan.
4. Liaise with internal departments and external suppliers to identify and address Information Security related risks.
5. Initiate, facilitate and promote activities to foster information security and data protection awareness throughout City and its suppliers.
6. To advise on, and to maintain, data protection impact assessments.
7. To be the first point of contact for supervisory authorities and for individuals whose data is processed (colleagues, customers etc).
8. To perform any activities relating to information security and compliance such as awareness-raising, training needs analysis, data migrations, security hardening, breach management and data protection based RFI.
9. Provide assistance in business development bids, PQQs and ITT responses.
10. Other duties deemed appropriate for the role and skillset.
Team Management
1. Input to and fulfil the development hiring plan for the team, including sourcing, screening, and interviewing.
2. Hold regular 1-1s with all direct reports.
3. Set team goals and technical direction while ensuring that they align with the goals of the Technology and Information Security roadmaps.
4. Set personal goals for each team member as well as direction while ensuring they are aligned with team goals.
5. Implement effective engineering processes and policies that emphasize quality and forward progress.
6. Deputise for the Head of Information Security.
Essential KNOWLEDGE, SKILLS & ABILITIES
1. Degree level qualification or equivalent experience in Cyber risk management and information protection.
2. Cyber security essentials.
3. ISO 27001.
4. NIST CSF.
5. Strong Technical Background in Data Classification and Data Loss Prevention.
6. Experience in information security governance, policy and procedure definition.
7. Administration of Active Directory, Azure AD, Windows File Services, SharePoint & Office 365.
8. Implementation of Microsoft Purview and oversight of configuration.
9. Strong broad-based technical background (database, web-based application development, infrastructure etc.).
10. Strong risk-based analysis and decision making skills.
11. Business sense.
12. Communicate Up, Down, and Across All Levels of an Organisation.
13. Pragmatic and flexible approach.
14. Problem-Solver.
15. Excellent interpersonal skills.
16. Creativity.
Desirable
1. CISSP, CRISC or CISM certified.
2. EU GDPR.
3. PCI-DSS.
4. Cloud, Hybrid & Global Enterprise networks.
5. Audit and risk assessment processes.
6. Conducting audits, developing controls & risk assessments.
7. Managing 3rd parties.
8. Demonstrated ability to understand and analyse complex business processes and technologies to make sound recommendations to non-technical constituents.
#J-18808-Ljbffr